Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 21:07

General

  • Target

    06e84fbd8e5d54001214f5ecb9badc30N.exe

  • Size

    6.3MB

  • MD5

    06e84fbd8e5d54001214f5ecb9badc30

  • SHA1

    2c4cdcba29b651e180b6cbd671b48f7921049682

  • SHA256

    8ce6910a38feb7254289c5b3a3b40ca88a0526a2c43e870f765b2afd6fd8cdfa

  • SHA512

    e53492167b67c24acd8e84a5520eb5bdb2e67103db9e4be4a4e42d4b91900da9551436afff99d6559ec725d08cb756de0994b26751dc231ce70e97ca7d0db276

  • SSDEEP

    98304:tn2UgXq9ouFkULGyqobNq1Mft5rG6uPO276HoVNmnolMsFiHtGh1hN5DTlF01AD4:V2S9+ULdNPtbuPZOOmnqogHh/W

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, autofill data and browsing history.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a weak indicator, since legitimate installers and localized software query the locale too; it is mainly of interest alongside the other behaviours, because region-gated malware uses the same lookup to decide whether to run at all.

  • Suspicious use of WriteProcessMemory 3 IoCs

    Attributed to the parent process, which spawned the dropped .sho child. Writing into a freshly created child is consistent with injection or hollowing, but the report does not show the target process or the written region, so treat it as a lead to confirm in a debugger or memory dump rather than a conclusion.

Processes

  • C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.exe
    "C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.sho
      C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.sho
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 424
        3⤵
        • Program crash
        PID:4584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1064 -ip 1064
    1⤵
      PID:5076
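The tree above, reconstructed by a small detection script. This is an added example, not tria.ge's own code. Both WerFault.exe instances name the same process (-p 1064), so the "Program crash" signature belongs to the dropped .sho child, not the parent. The script takes the PIDs, image paths and command lines from the report, lays them out as a simplified Sysmon-style event list (that (pid, ppid, image, cmdline) layout is an assumption of this example, not the sandbox's export format), rebuilds the parent/child links, and flags the two things worth triaging: a file with a non-PE extension executed from %TEMP% by another %TEMP% process, and a crash handler started for a PID in the tree.

```python
"""Reconstruct the process tree above from process-creation events and flag
what the report's signatures point at: a dropped file with a non-executable
extension run from the user's Temp directory, and a WerFault.exe crash
handler started for that child.

Added example, not tria.ge's own code.  The event tuples below are
constructed to mirror the page's process tree (PIDs, image paths and command
lines are taken from the report); the (pid, ppid, image, cmdline) layout is a
simplified Sysmon-style shape assumed for this example, not the sandbox's
export format.
"""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "06e84fbd8e5d54001214f5ecb9badc30N"

# Constructed events.  The second WerFault (PID 5076) is shown as a tree root
# on the page, so its parent is recorded as 0 (unknown) here.
EVENTS = [
    (4996, 0, TEMP + "\\" + SAMPLE + ".exe", '"' + TEMP + "\\" + SAMPLE + '.exe"'),
    (1064, 4996, TEMP + "\\" + SAMPLE + ".sho", TEMP + "\\" + SAMPLE + ".sho"),
    (4584, 1064, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 424"),
    (5076, 0, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1064 -ip 1064"),
]

TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl"}


def build_tree(events):
    """Return (by_pid, children): pid -> (ppid, image, cmdline) and ppid -> [pids]."""
    by_pid, children = {}, defaultdict(list)
    for pid, ppid, image, cmd in events:
        by_pid[pid] = (ppid, image, cmd)
        children[ppid].append(pid)
    return by_pid, children


def lineage(by_pid, pid):
    """Ancestry of pid, root first, stopping at the first parent not in the tree."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][0]
    return chain[::-1]


def werfault_target(cmdline):
    """PID named by WerFault's -p switch, or None if this is not a WerFault launch."""
    if "werfault.exe" not in cmdline.lower():
        return None
    m = re.search(r"\s-p\s+(\d+)", cmdline)   # matches '-p 1064', not '-pss' or '-ip'
    return int(m.group(1)) if m else None


def analyse(events):
    """Return findings as (kind, subject_pid, related_pid) tuples."""
    by_pid, _ = build_tree(events)
    findings = []
    for pid, (ppid, image, cmd) in by_pid.items():
        # 1. A file in %TEMP% with a non-PE extension, started by another
        #    %TEMP% process: the 'Executes dropped EXE' pattern, with the
        #    extension chosen to look like data rather than code.
        ext = ntpath.splitext(image)[1].lower()
        parent = by_pid.get(ppid)
        if TEMP_RE.search(image) and ext not in PE_EXTENSIONS \
                and parent and TEMP_RE.search(parent[1]):
            findings.append(("dropped-non-pe-executed", pid, ppid))
        # 2. WerFault launched for a PID in our tree: that process crashed.
        target = werfault_target(cmd)
        if target is not None and target in by_pid:
            findings.append(("crash", target, pid))
    return findings


if __name__ == "__main__":
    tree, _ = build_tree(EVENTS)
    for kind, subject, related in analyse(EVENTS):
        print(kind, subject, related, "lineage:", lineage(tree, subject))
```

Run as-is it reports the .sho child (PID 1064) as a dropped non-PE executable under the sample, and two crash findings for the same PID, one per WerFault instance; the lineage printed for 1064 is 4996 -> 1064, which is the chain to pull memory from if the crash was an injection attempt that failed.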

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.sho

    Filesize

    6.2MB

    MD5

    f1e82d254e13a870fbf61316b1769d71

    SHA1

    f593a3c5c116fffb99e67f32bbf01add71bcb384

    SHA256

    15ac52a5aec8e688aa34ddc707b8bd4d42efea8eaf9fe9c5600b56c70e255f2a

    SHA512

    a5869b53cca1aa85b2cee7b50399b9a0fb065492b891c7df21681d88086fe98500bf324cf7a8a268c3a053c5477936b2f6d752910441d9ae12d08153a785c3d6

  • C:\Windows\SysWOW64\Shohdi.hdi

    Filesize

    6.3MB

    MD5

    06e84fbd8e5d54001214f5ecb9badc30

    SHA1

    2c4cdcba29b651e180b6cbd671b48f7921049682

    SHA256

    8ce6910a38feb7254289c5b3a3b40ca88a0526a2c43e870f765b2afd6fd8cdfa

    SHA512

    e53492167b67c24acd8e84a5520eb5bdb2e67103db9e4be4a4e42d4b91900da9551436afff99d6559ec725d08cb756de0994b26751dc231ce70e97ca7d0db276
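Note that C:\Windows\SysWOW64\Shohdi.hdi carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample: the executable copies itself byte-for-byte into the system directory under a data-like extension. The observed path is SysWOW64, which is where WoW64 redirects a 32-bit process's writes to C:\Windows\System32 (the sample is 32-bit, since its crash was handled by the SysWOW64 WerFault.exe); on a 32-bit host the same write lands in System32 itself, so hunt for the copy by hash rather than by path. The script below is an added example, not tria.ge's code: it transcribes the report's hashes, indexes them so that an entry with only one algorithm still matches, groups byte-identical entries, and scans a directory with chunked hashing so multi-megabyte files are handled in one pass. Everything it hashes at runtime is constructed test data; SHA256_ABC is the standard SHA-256("abc") test vector used as a stand-in IOC.

```python
"""Match files against the digests published in the report above and spot
byte-identical copies among the listed files.

Added example, not tria.ge's own code.  REPORT_HASHES is transcribed from the
page's General and Downloads sections; everything hashed by demo_scan() is
constructed test data, since the sample itself is not reproduced here.
"""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")

REPORT_HASHES = {
    r"C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.exe": {
        "md5": "06e84fbd8e5d54001214f5ecb9badc30",
        "sha1": "2c4cdcba29b651e180b6cbd671b48f7921049682",
        "sha256": "8ce6910a38feb7254289c5b3a3b40ca88a0526a2c43e870f765b2afd6fd8cdfa",
    },
    r"C:\Users\Admin\AppData\Local\Temp\06e84fbd8e5d54001214f5ecb9badc30N.sho": {
        "md5": "f1e82d254e13a870fbf61316b1769d71",
        "sha1": "f593a3c5c116fffb99e67f32bbf01add71bcb384",
        "sha256": "15ac52a5aec8e688aa34ddc707b8bd4d42efea8eaf9fe9c5600b56c70e255f2a",
    },
    r"C:\Windows\SysWOW64\Shohdi.hdi": {
        "md5": "06e84fbd8e5d54001214f5ecb9badc30",
        "sha1": "2c4cdcba29b651e180b6cbd671b48f7921049682",
        "sha256": "8ce6910a38feb7254289c5b3a3b40ca88a0526a2c43e870f765b2afd6fd8cdfa",
    },
}

# Standard test vector SHA-256("abc"); demo_scan() uses it as a constructed IOC.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def digests_of_file(path, chunk=1 << 20):
    """All three digests of a file in one pass, read in chunks so large files are fine."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def digests_of_bytes(data):
    """Same three digests for an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def ioc_index(report):
    """(algo, hexdigest) -> [report paths]; an entry with only SHA-256 still matches."""
    index = {}
    for path, hashes in report.items():
        for algo, value in hashes.items():
            index.setdefault((algo.lower(), value.lower()), []).append(path)
    return index


def match_digests(found, report=REPORT_HASHES):
    """Report paths whose digests agree with `found` on any algorithm (case-insensitive)."""
    index = ioc_index(report)
    hits = set()
    for algo, value in found.items():
        hits.update(index.get((algo.lower(), value.lower()), []))
    return sorted(hits)


def identical_groups(report=REPORT_HASHES):
    """Group report entries by SHA-256; a group of two or more is a byte-identical copy."""
    groups = {}
    for path, hashes in report.items():
        groups.setdefault(hashes["sha256"].lower(), []).append(path)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def scan_dir(root, report=REPORT_HASHES):
    """Walk `root`; return {file path: [matching report paths]} for every hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            matched = match_digests(digests_of_file(path), report)
            if matched:
                hits[path] = matched
    return hits


def demo_scan():
    """Constructed demonstration: one file whose content ('abc') matches a constructed IOC."""
    demo_report = {"constructed-ioc": {"sha256": SHA256_ABC}}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "match.bin"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(root, "clean.bin"), "wb") as fh:
            fh.write(b"not the sample")
        return {os.path.basename(p): m for p, m in scan_dir(root, demo_report).items()}


if __name__ == "__main__":
    print("byte-identical copies:", identical_groups())
    print("demo scan:", demo_scan())
```

identical_groups() returns one group, the submitted .exe and Shohdi.hdi, which is the self-copy the Downloads list shows; point scan_dir() at a mounted image or an extracted triage collection with the real REPORT_HASHES to find that copy wherever the redirector (or a different sample build) put it.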